All Posts

@ITWhisperer No, it's not about the search

| where _time=$eventid$ OR EventID=$eventid$ OR Server=$eventid$ OR Message=$eventid$ OR Severity=$eventid$

Put simply, when you search for specific values in any field (for example, EventID, Server, Message, or Severity) in the search input "Textbox", the system will display relevant data related to those fields. This allows for easy and straightforward searching based on the criteria. Reference Image: In the code I provided earlier, what changes are necessary for token-related conditions?
Hi @phanikumarcs, at first, if you want to use the text input only on the eventid input, you should modify your search to:

<row>
  <panel>
    <title>EventID-Severity Matrix</title>
    <input type="text" token="eventid" searchWhenChanged="true">
      <label>Search EventID</label>
      <prefix>EventID="</prefix>
      <suffix>"</suffix>
    </input>
    <table>
      <search>
        <query>index IN ("foo1", "foo2", "foo3") host IN ("goo1", "goo2", "goo3", "goo4") EventID IN ("1", "1021", "1069") Name=* $eventid$
| fields EventID Name host
| eval Severity=case(EventID="1", "Information", EventID="1021", "Warning", EventID="1069", "Critical")
| rename Name as Message, host as Server
| table _time, EventID, Server, Message, Severity</query>
        <earliest>$time.earliest$</earliest>
        <latest>$time.latest$</latest>
      </search>
      <option name="drilldown">none</option>
      <option name="refresh.display">progressbar</option>
    </table>
  </panel>
</row>

Otherwise the token will search on the raw text instead of on the EventID field. Then, is eventid a field present in all the events or only in part of them? If you use * in the text box, you exclude from the results the events without the EventID field. Ciao. Giuseppe
At first glance, there doesn't appear to be anything wrong with your search as you have shown it. Please can you give some examples of events which are not found and the search string used which failed to find the events?
Since you didn't provide any sample events I had to guess - since you still haven't provided any sample events I can only guess whether this is right or not. Since it apparently isn't giving what you want, I would guess it isn't right. In your search, what is count? Is it a field in your events?
@gcusello Here is the code

<row>
  <panel>
    <title>EventID-Severity Matrix</title>
    <input type="text" token="eventid" searchWhenChanged="true">
      <label>Search EventID</label>
    </input>
    <table>
      <search>
        <query>index IN ("foo1", "foo2", "foo3") host IN ("goo1", "goo2", "goo3", "goo4") EventID IN ("1", "1021", "1069") Name=* $eventid$
| fields EventID Name host
| eval Severity=case(EventID="1", "Information", EventID="1021", "Warning", EventID="1069", "Critical")
| rename Name as Message, host as Server
| table _time, EventID, Server, Message, Severity</query>
        <earliest>$time.earliest$</earliest>
        <latest>$time.latest$</latest>
      </search>
      <option name="drilldown">none</option>
      <option name="refresh.display">progressbar</option>
    </table>
  </panel>
</row>
What is the field used as "volume"? Is it similar to "count" in stats to get volume? I tried this but it's not working; I tried a portion of your query:

| bin _time span=1h | stats sum(count) as volume by _time component

It's not reporting anything under volume.
| where _time=$eventid$ OR EventID=$eventid$ OR Server=$eventid$ OR Message=$eventid$ OR Severity=$eventid$
Hi @phanikumarcs, the input code you shared isn't complete. Could you share the complete form code, with special attention to the panel's search that uses the text input token? Ciao. Giuseppe
| bin _time span=1h | stats sum(volume) as volume by _time component | bin _time span=1mon | chart max(volume) as volume by component _time | addtotals | eval Average=Total/3
Hi All, @ITWhisperer @renjith_nair @woodcock
From the above "Textbox" input and panel for (_time, EventID, Server, Message, Severity), "Textbox" settings:

<input type="text" token="eventid" searchWhenChanged="true">
  <label>Search EventID</label>
</input>

When I search in the "Textbox" using an "EventID", it only displays results based on the EventID values. However, when I search using other parameters such as "_time", "Server", "Message", or "Severity", it does not retrieve any results. Can anyone assist me with creating a conditional search for any of the following fields in the above table: _time, EventID, Server, Message, or Severity? When I search for any value in these fields, I want the corresponding records to be displayed. I need the settings either in the UI or in Source.
So, why is Lat/Long included as a data point? Even the tutorial I'm following has the same result, but surely there is a way to not show these since it's sort of meaningless? (And don't call me Shirley!)
Hi Team, I want to calculate the peak hourly volume of each month for each service. Each service can have different peak times, and I first need to calculate the peak hour of each component for the month. Likewise, calculate this for the last 3 months. Then calculate the average of the 3 months' peak hourly volume. The table below is the sample requirement.

              January-24   February-24   March-24   Avg Volume
  service1            20            50         20           30
  service2             4             3          8            5
  service3            20            30         40           30
  service4         30000         30000       9000        23000
  service5           200           300        400          300
Good lord. that was too easy. Appreciate the help. I keep forgetting I'm in a 'Nix world now. Thank goodness PowerShell doesn't mind capitalization rule breakage.
Hi Team, Please help me for the below information/question. Thanks
@poojabolla Hi Pooja, the index names on the source (OpenShift) and destination (Splunk) should match. Therefore, the index should only contain the data. OpenShift logs should not be sent to Splunk if the index name differs.
Yes, I have a summary search which ends in:

| eval _time = _time + 3600

This sets the timestamp of the summary-indexed events to one hour in the future. Then, when I search for the summarized events using the time filter of "Last 24 hours", it does not find any events (as expected). When I search for the summarized events with a custom time filter from +1m to +2h, then it does find the events, timestamped one hour in the future. Thus this method should be useful for setting the timestamps of your summarized index events to be in your expected search window.
The question could be worded better. You could ask your instructor if they want you to "estimate how many users, in each user category, have performed a successful authentication." If that is the question being asked, then you could filter to only successful authentications and then use the statistics commands in Splunk to produce a table counting how many different users in each category have successfully authenticated.
Hi @Ryan.Paredez, unfortunately, I have not found any resolution for my issue just yet, and it is not clear in the documentation how to use dbagent.mssql.cluster.discovery.enabled from the Controller UI. Thank you, Osama
The typical case of disappearing users is connected to the issue of grantable roles. See https://community.splunk.com/t5/Splunk-Enterprise/Splunk-Enterprise-upgrade-to-9-1-0-1-all-users-disappeared/m-p/650181
Yep. tstats and timechart are a good way to go about finding out if you have some significant changes in your event counts (as opposed to normal daily/weekly variance). You can draw yourself a nice line/bar chart and easily see visually if your event rates are changing. You can use different aggregations to investigate it further (by sourcetype, by source, by host...). Typically event size distribution should not change much unless there has been some change on the source's side (but if you have many different sources, such a change on just one or two sources would not reflect much on the overall data rate, unless of course you have a single source "dominating" your data).